Pass vault variables into large config vault file.

[Colin Byrne]

Hey, 

So I have a large config file that needs to be encrypted when pushed to a private repository. There are multiple server groups which it would be pushed too, so ideally I would be able to pass vars in to it, depending on the group. These vars would have to be encrypted as well.  I feel like I have a pretty good understanding of the vault and its capabilities and limitations, and I am not sure if this would be possible for two reasons:

1. Ansible vault does not seem to be able to encrypt full files, just variable files (although my large config file is natively a .yml files, so It may be possible in this case)

2. I haven't seen anyone else pass a vault variable into another vault-decrypted file 

I am still just getting started with ansible and am therefore pretty slow, so I just wanted to know your opinions on the feasibility of this before I invest the time. Is there another simple encryption method that I could achieve the same results with?

Sincere thanks for any help, C

[Alexey Vazhnov]

May be you need to use big template with some vars stored in vault storage?

[Colin Byrne]

But can you encrypt the template somehow?

[Alexey Vazhnov]

No, I suggest to use big unencrypted template with no private data and crypted variables in vault storage. Usually in big configuration file not all data need to be secured, only some variables.